-2

I wanted to know whether an instruction is from the application itself or from the library code. I observed that some application code/data is located at about 0x000055xxxx while libraries and mmapped regions are by default located at 0x00007fcxxxx. Can I use, for example, 0x00007f00...00 as a boundary to tell whether an instruction is from the application itself or from a library?

How can I configure this boundary in Linux kernel?


Updated.

Can I prevent (or detect) a syscall instruction being issued from application code (only allowing it to go through libc)? Maybe we can do a binary scan, but due to the variable length of instructions, it's hard to prevent unintended syscall instructions.

xiaogw

2 Answers

0

Do it the other way. You need to learn a lot.

First, read a lot more about operating systems. So read the Operating Systems: Three Easy Pieces textbook.

Then, learn more about ASLR.

Read also Drepper's How to write shared libraries and Levine's Linkers and loaders book.

You want to use pmap(1) and proc(5).

You probably want to parse the /proc/self/maps pseudo-file from inside your program. Or use dladdr(3).

To get some insight, run cat /proc/$$/maps and cat /proc/self/maps in a Linux terminal.

Basile Starynkevitch
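The answer above says to parse /proc/self/maps from inside the program. The following is an added example (not code from the question or from either answer) of what that parse looks like: it reads the maps text format, finds the mapping that contains a given address, and reports whether that mapping belongs to the main executable (path equal to the /proc/self/exe target), to a shared library (path containing ".so"), or to something else (heap, stack, vdso, an mmapped data file), along with whether the mapping is executable, which an instruction address must be. The maps text, the executable path /home/user/prog and the library paths in SAMPLE_MAPS are constructed for the example; the function names are mine. classify_self_addr() runs the same check against the live file on Linux.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

#define MAX_PATH_LEN 4096

/* Fallback prototype in case unistd.h was included under a strict -std
 * that hides readlink(); identical to the POSIX declaration. */
ssize_t readlink(const char *, char *, size_t);

/* Where an address falls according to /proc/<pid>/maps. */
enum region_kind { REGION_UNMAPPED = 0, REGION_EXE, REGION_LIB, REGION_OTHER };

/* Constructed sample in the /proc/<pid>/maps text format; the paths,
 * addresses, device numbers and inodes are made up for this example. */
static const char SAMPLE_MAPS[] =
    "555555554000-555555555000 r--p 00000000 08:01 131 /home/user/prog\n"
    "555555555000-555555556000 r-xp 00001000 08:01 131 /home/user/prog\n"
    "555555559000-55555557a000 rw-p 00000000 00:00 0   [heap]\n"
    "7ffff7d80000-7ffff7d90000 r--p 00000000 08:01 77  /home/user/data.bin\n"
    "7ffff7dc0000-7ffff7de8000 r--p 00000000 08:01 42  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffff7de8000-7ffff7f7d000 r-xp 00028000 08:01 42  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffff7ff9000-7ffff7ffb000 r-xp 00000000 00:00 0   [vdso]\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0   [stack]\n";

/* Parse one maps line: "start-end perms offset dev inode [path]".  Returns the
 * kind of region if addr lies in [start, end), else REGION_UNMAPPED.  If
 * is_exec is non-NULL it receives whether the mapping is executable. */
static enum region_kind classify_line(const char *line, uintptr_t addr,
                                      const char *exe_path, int *is_exec)
{
    unsigned long long start, end;
    char perms[8];
    int path_off = 0;
    /* %n stores how many characters were consumed, i.e. where the path starts. */
    if (sscanf(line, "%llx-%llx %7s %*x %*x:%*x %*u%n",
               &start, &end, perms, &path_off) < 3)
        return REGION_UNMAPPED;
    if (addr < start || addr >= end)
        return REGION_UNMAPPED;
    if (is_exec)
        *is_exec = perms[2] == 'x';

    const char *p = line + path_off;
    while (*p == ' ')
        p++;
    size_t len = strcspn(p, "\n");              /* the path ends at end of line */
    char path[MAX_PATH_LEN];
    if (len >= sizeof path)
        len = sizeof path - 1;
    memcpy(path, p, len);
    path[len] = '\0';

    if (len == 0 || path[0] == '[')             /* anonymous, [heap], [stack], [vdso] */
        return REGION_OTHER;
    if (exe_path && strcmp(path, exe_path) == 0)
        return REGION_EXE;
    if (strstr(path, ".so") != NULL)            /* libc.so.6, libfoo.so, ... */
        return REGION_LIB;
    return REGION_OTHER;                        /* some other mmapped file */
}

/* Classify addr against a whole maps text (one mapping per line). */
enum region_kind classify_addr(const char *maps_text, uintptr_t addr,
                               const char *exe_path, int *is_exec)
{
    for (const char *line = maps_text; line && *line; ) {
        enum region_kind k = classify_line(line, addr, exe_path, is_exec);
        if (k != REGION_UNMAPPED)
            return k;
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;
    }
    return REGION_UNMAPPED;
}

/* Same check against the live /proc/self/maps, using /proc/self/exe as the
 * executable's path (Linux only). */
enum region_kind classify_self_addr(uintptr_t addr, int *is_exec)
{
    char exe[MAX_PATH_LEN];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n < 0)
        return REGION_UNMAPPED;
    exe[n] = '\0';
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return REGION_UNMAPPED;
    char line[MAX_PATH_LEN + 128];
    enum region_kind k = REGION_UNMAPPED;
    while (k == REGION_UNMAPPED && fgets(line, sizeof line, f))
        k = classify_line(line, addr, exe, is_exec);
    fclose(f);
    return k;
}

static const char *kind_name(enum region_kind k)
{
    static const char *names[] = { "unmapped", "main executable", "shared library", "other" };
    return names[k];
}

int main(void)
{
    int x;
    /* A function of this program versus printf from libc. */
    uintptr_t here = (uintptr_t)classify_addr;
    uintptr_t libc = (uintptr_t)printf;
    printf("classify_addr at %#lx: %s\n", (unsigned long)here, kind_name(classify_self_addr(here, &x)));
    printf("printf        at %#lx: %s\n", (unsigned long)libc, kind_name(classify_self_addr(libc, &x)));
    return 0;
}
```

The path comparison is what makes this work regardless of where ASLR placed the executable; the ".so" test is a heuristic that is good enough for system libraries but would miss a library mapped from a file with another name, so a stricter tool would instead compare against the list returned by dl_iterate_phdr(3).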
0

I wanted to know whether an instruction is from userspace or from library code.

You are confused: both library code and main executable code are userspace.

On Linux x86_64, you can distinguish kernel addresses from userspace addresses, because the kernel addresses are in the FFFF8000'00000000 through FFFFFFFF'FFFFFFFF range on current (48-bit) implementations. See canonical form address description here.

I observed that some application code/data is located at about 0x000055xxxx while libraries and mmapped regions are by default located at 0x00007fcxxxx. Can I use, for example, 0x00007f00...00 as a boundary to tell whether an instruction is from the application itself or from a library?

No, in general you can't. An application can be linked to load anywhere within canonical address space (though most applications aren't).

As Basile Starynkevitch already answered, you'll need to parse /proc/$pid/maps, or know what address the executable is linked to load at (for non-PIE binary).

Employed Russian
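The canonical-form rule this answer relies on, as an added example that is not part of the answer: on x86_64 with va_bits significant address bits (48 on the current 4-level paging the answer refers to), an address is canonical only if bits va_bits-1 through 63 are all equal, and the half with those bits set is the kernel half. The function below applies that rule and also computes the two boundaries the answer quotes, which shows that both the 0x000055... executable and the 0x00007f... libraries from the question sit in the same user half, so no address boundary separates them. The names classify_va, highest_user_va and lowest_kernel_va are mine; passing 57 for va_bits goes beyond the page and corresponds to 5-level paging.

```c
#include <stdint.h>
#include <stdio.h>

enum addr_class { ADDR_NONCANONICAL = 0, ADDR_USER, ADDR_KERNEL };

/* Highest user-half address for a given VA width: bits 0..va_bits-2 set. */
uint64_t highest_user_va(unsigned va_bits)
{
    return (UINT64_C(1) << (va_bits - 1)) - 1;
}

/* Lowest kernel-half address: bits va_bits-1..63 set, everything below clear. */
uint64_t lowest_kernel_va(unsigned va_bits)
{
    return ~UINT64_C(0) << (va_bits - 1);
}

/* Canonical-form check: bits va_bits-1 .. 63 must all be copies of bit
 * va_bits-1.  All clear means user half, all set means kernel half,
 * anything else is non-canonical and faults if dereferenced. */
enum addr_class classify_va(uint64_t addr, unsigned va_bits)
{
    if (va_bits < 2 || va_bits > 63)
        return ADDR_NONCANONICAL;           /* outside the widths this handles */
    uint64_t high = addr >> (va_bits - 1);  /* the 64 - va_bits + 1 top bits */
    uint64_t all_ones = (UINT64_C(1) << (64 - va_bits + 1)) - 1;
    if (high == 0)
        return ADDR_USER;
    if (high == all_ones)
        return ADDR_KERNEL;
    return ADDR_NONCANONICAL;
}

static const char *class_name(enum addr_class c)
{
    static const char *names[] = { "non-canonical", "user half", "kernel half" };
    return names[c];
}

int main(void)
{
    /* Constructed sample addresses: a PIE executable, a library, a typical
     * kernel text address, and the first address past the user half. */
    const uint64_t samples[] = {
        UINT64_C(0x555555555000), UINT64_C(0x7ffff7de8000),
        UINT64_C(0xffffffff81000000), UINT64_C(0x0000800000000000)
    };
    printf("48-bit: user half ends at %#llx, kernel half starts at %#llx\n",
           (unsigned long long)highest_user_va(48),
           (unsigned long long)lowest_kernel_va(48));
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx -> %s\n", (unsigned long long)samples[i],
               class_name(classify_va(samples[i], 48)));
    return 0;
}
```

Note that the rule only tells you which half an address is in: the kernel does not necessarily map the whole top half, and a user-half address is not necessarily mapped at all, so it is a complement to, not a substitute for, the /proc/$pid/maps lookup the answer recommends.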